From b50ee983522f0efb5920676db545ae25b2e8998d Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Wed, 21 May 2025 16:45:21 +0000 Subject: [PATCH] Merge libapparmor/test: avoid writing __pycache__ Having a `__pycache__` on check can result in all kinds of weird issues. Notably, the test environment is currently clearing all environment variables, including those responsible for keeping a reproducible build. This is not immediately a problem for functionality, but complicates downstream distribution in systems such as nix, where it is considered a bug [1]. It might also be possible to force determinism by exporting env vars instead: ``` DETERMINISTIC_BUILD=1 PYTHONHASHSEED=0 ``` This forces a special mode on the pycache, where instead of a `moddate`, it will then store a hash of the outputs [2]. This would be an alternative fix, but considering apparmor upstream does not (yet) test for bit-reproducibility, it is likely too fragile here. [1] https://github.com/NixOS/nixpkgs/issues/409032 [2] https://peps.python.org/pep-0552/ I understand AppArmor might or might not care about deterministic builds. I was writing this patch for nixpkgs anyways, so I might as well try to contribute it - whether it gets merged or not. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1697 Approved-by: Christian Boltz Merged-by: Christian Boltz (cherry picked from commit 9fabe25a9fbea12d00fb3f0ec04d0e3865f55981) f584505a libapparmor/test: avoid writing __pycache__ Co-authored-by: Christian Boltz --- libraries/libapparmor/swig/python/test/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libraries/libapparmor/swig/python/test/Makefile.am b/libraries/libapparmor/swig/python/test/Makefile.am index 761735a9a..7a7e0c4f4 100644 --- a/libraries/libapparmor/swig/python/test/Makefile.am +++ b/libraries/libapparmor/swig/python/test/Makefile.am 
@@ -15,6 +15,7 @@ PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)' TESTS = test_python.py TESTS_ENVIRONMENT = \ LD_LIBRARY_PATH='$(top_builddir)/src/.libs:$(PYTHON_DIST_BUILD_PATH)' \ - PYTHONPATH='$(PYTHON_DIST_BUILD_PATH)' + PYTHONPATH='$(PYTHON_DIST_BUILD_PATH)' \ + PYTHONDONTWRITEBYTECODE='1' endif
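Review bot: The added `PYTHONDONTWRITEBYTECODE='1'` entry at the end of `TESTS_ENVIRONMENT` has no comment, so the reason for it (no `__pycache__` written during `make check`, per the commit message) is only recoverable from history; a one-line `#` comment above `TESTS_ENVIRONMENT` would keep a later cleanup from dropping it. The variable also reaches only the interpreter launched for `TESTS` in this one directory (the diffstat shows a single Makefile.am changed), so the `$(PYTHON) buildpath.py` invocation inside `PYTHON_DIST_BUILD_PATH` and any other Python test directories in the tree are worth checking for the same bytecode writes.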